Regulating data in the UK – political swarf #data #opendata

I was one of the non-partisan ‘expert panel’ that produced the ‘Digital Government Review’ delivered to the Labour Party. I did a lot of work on data regulation and Labour made a rare policy commitment to a review of data policy. Labour did not win the election but data will continue to be critical for anyone working on digital issues. So I thought I would publish some random notes I had made a while ago to feed into a data review, which now won’t happen. These flow from an article I wrote last year and discussions around that. In particular that the structures within which the ICO is created reflect a 1980s regulatory paradigm that doesn’t help the excellent people working there. My thinking is based on my experience restructuring the telecoms and broadcasting regulatory regimes in 2000 and longstanding professional interest in economic and social regulation. In no particular order:

move to a modern polluter-pays basis to fund a higher capacity regulator to handle the massive expansion in data processing. The ICO seems under sized – for instance OFCOM employs 790 staff, OFGEM 760, the ICO about 400. The ICO should be allowed to discriminate much more finely in its fee setting so that the very largest data users pay more and smaller users pay less. At present it has a two tier charging regime where SMEs pay about £35 and organisations with more than 249 staff pay the princely sum of £500, then the ICO has its shortfall for FOI work topped up by MOJ. Which makes no one happy and under resources ICO, as they point out. Essentially Google, Facebook, the Home Office etc should pay 99% of the ICOs fees, as the big telcos do OFCOM’s to fund a higher capacity regulator and SMEs should pay nothing. The micro economics of polluter pays are well understood.

De-personalise regulation. The ICO himself is the regulator – this is an old fashioned model from the early 1980s, that has been dropped in most modernised regulatory regimes (OFCOM, OFGEM etc). Move to to one where a board is the regulator with a strong CEO. This allows for a greater range of interests to be represented (eg data science etc on the board), de-personalises things a lot and broadens the regulator’s ability to manage different interests.

Modernise support of the laudable consumer facing approach. Most industry regulators (no matter what they say) are supplier-facing, with consumer-facing stuff bolted on badly later via a clunky Ombudsman arrangement. The ICO is firmly customer-facing but needs to modernise how it does that – especially though use of online forums etc to help people out in solving common or repeated data problems. Wading through the ICO website is a horrible process – it is so often quicker to ring them, which is highly inefficient.

Think hard about whether there may be an advantage to de-couple data from freedom of information regulation – they could be separated more clearly under a new board-governed regulator, but only if FOI work can be better funded without charging applicants. Find a way for the policy voice of the Campaign for FOI to be better heard – driving policy forward, rather than having to react to MOJ.

for the largest data processors introduce some form of ‘regulatory accounts’ that are far more detailed than their published reporting of data processing and are for the regulators eyes only.

up the international game – look at the work by John Podesta in the USA where he essentially challenged international trading blocs to work with the US on data protection and big tech companies. In a euro-sceptic climate the UK data regulator can and should play a more conspicuous international role, leading the European debate.

It’s more effective for intelligence regulators (whether Anderson’s ISIC or OFINT or OFSPY) to buy into the ICO expertise on data than slowly develop their own. A better funded, polluter-pays regulator would become an even greater centre of expertise in data matters. The ICO is shining a light into some horrific breaches by police. Create a secure cell that pulls together many aspects of data regulation of the intelligence community and police’s use of data and serves the existing intel regulators/overseers – who seem under resourced, particularly the ISC.

to do any of this find a very early opening for legislation to reform the data protection regime – there will need to be some reform if/when the EU data protection regulation needs implementing. This needs to be done much more urgently than it might seem so that reforms are actually enacted this parliament. A bill in year three is probably too late.

For the avoidance of doubt, all the above are my own views, not those of the panel on which I sat.